HSRP, routing issue

Hi,

I have a strange issue with an HSRP setup.

I have two (S1+S2) 3560 as Core/Distribution layer. Inter-VLAN routing is enabled on both switches. S1 and S2 are connected with an etherchannel over four fibre ports. S3-S5 are the (L2) access layer.

Gi0/1 on S1 and S2 are L3 ports connected to a Linux firewall.

HSRP is enabled, S1 is the active router and the STP root bridge.

But my monitoring via Cacti shows me that Gi0/1 on S2 is active, too! It should not be active, should it? Only if S1 fails should S2 become the active switch.

A client on the access ports of S3-S5 gets traffic from the internet via Gi0/1 of S2. Gi0/1 on S1 is active too, but mostly sends traffic to the internet.

Why is S2 active, and why does it route traffic from the internet to the client?

HSRP, routing issue

Thomas

Would you post the interface configuration from both switches for the Gi0/1 interfaces? You say that both are layer 3 interfaces but it is not clear whether that means that both are configured with no switchport and with an IP address on the interface or whether they are in a VLAN that has the layer 3 interface.

A related but slightly different question would be whether the switches see each other as CDP neighbors through the Gi0/1 interface?

From the symptoms I am guessing that the switch Gi0/1 interfaces do not talk directly to each other and for HSRP to work correctly the switch interfaces must be able to talk directly to each other. So if you can provide some additional information about the topology and the configuration then we may be able to find a solution for your problem.

HSRP, routing issue

I would like to add something... why do you need those Gig ports as L3? If you configure them as switchports and join them to the same VLAN then you can configure HSRP at the VLAN interface level with different priorities so you can decide which remains active and standby.

HSRP, routing issue

Thomas

Thank you for the additional information. I believe that it is helpful. The main thing that it shows is that there is not any standby configured on the Gi0/1 ports. If there is no standby/HSRP configured on the Gi0/1 port then why would you expect it to not be active?

I had assumed from the original post that HSRP was configured but not working for some reason. But this additional information shows that there is not HSRP configured on those interfaces and therefore it is normal behavior that both switch ports would be active.

With switch 1 being active for each of the VLANs I would expect most outbound traffic to use Gi0/1 of switch 1 and for very little (if any) traffic to use the interface on switch 2. But I would expect it to be active and acting as a backup if there should be a problem with switch 1.

HSRP, routing issue

I am not sure what advantage you will get from running HSRP on the Gi0/1 interfaces. Would the firewall to which they connect use the virtual address for anything?

And if you do want to configure HSRP then the configuration that you suggest is not correct. From an earlier post you gave us this from switch 1:

S1#show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
 description to_firewall
 no switchport
 ip address 192.168.99.2 255.255.255.248

So you cannot use 192.168.99.2 as the standby address for switch 1 as you suggest here.

And similarly you cannot use 192.168.99.3 as the standby on switch 2 since that is assigned as the interface address. For configuring HSRP each switch needs an IP address in the subnet and then the pair of interfaces share a virtual address. So perhaps it might make sense to have both interfaces use

Re: HSRP, routing issue

If there is no standby/HSRP configured on the Gi0/1 port then why would you expect it to not be active?

And yes, the posted HSRP setup for Gi0/1 is nonsense... *shame on me*

I am not sure what advantage you will get from running HSRP on the Gi0/1 interfaces. Would the firewall to which they connect use the virtual address for anything?

No, the firewall will never use the virtual ip.

My primary intention was to figure out why S2 has so much incoming traffic on Gi0/1. I had expected that only Gi0/1 on S1 would get the traffic between the firewall and the switch.

With switch 1 being active for each of the VLANs I would expect most outbound traffic to use Gi0/1 of switch 1 and for very little (if any) traffic to use the interface on switch 2. But I would expect it to be active and acting as a backup if there should be a problem with switch 1.

You are right. But I am still wondering about the amount of incoming traffic on S2 Gi0/1.

Re: HSRP, routing issue

Thomas

Thank you. This has re-focused the discussion on the real issue. For much of this thread I have been assuming that the problem has to do with HSRP and with traffic outbound to the Internet. It is now much more clear that the question is really about traffic from the Internet coming to the switch interfaces.

And the answer to the question is to be found on the Linux firewall. Traffic from the Internet passes through the firewall and the firewall is making decisions on how to forward the traffic that results in more traffic to switch 2 interface than you expect. So why is the firewall doing this?

Can you tell us what is set up on the firewall, especially in terms of routing to the inside network? Does the firewall have a route to 10.2.0.0, to 10.2.2.0, to 10.2.4.0, and to 10.2.6.0 or does it just have a route to 10.0.0.0 or something like that? And what is the next hop for these routes?

I am going to make a guess at the problem. I am guessing that whatever route is set in the firewall does not have a next hop specified that is either the switch 1 or the switch 2 interface address. This could lead the firewall to ARP for the destinations. And if the firewall is ARPing for the destination then some traffic would go through switch 1 and some traffic would go through switch 2 depending on which responded more quickly to the ARP request.

Re: HSRP, routing issue

I do not want to distract you from the current conversation. But I got a different understanding of the problem description you gave.

" A client from the access ports on S3 - 5 gets traffic from the internet via Gi0/1 from S2. Gi0/1 on S1 is active too, but will send mostly traffic to the internet. "

The HSRP config looks fine.

Are you trying to say that the traffic the client on S3 sends goes through Gi0/1 on S1 (which it should) and the return traffic from the internet comes through Gi0/1 of S2?

If that is correct then you have an asymmetric routing situation and you would need to fix it from the upstream router end. Make Gi0/1 of S1 the preferred route by tweaking the routing protocol.

HSRP, routing issue

Thomas

Thank you for the additional information. I believe that it confirms my guess in my recent post that the firewall does not have a route for the 10.2/16 network but is using ARP for every address in the network that it attempts to reach. In this case both of the switches receive the ARP request, both respond, and the firewall chooses one (typically the first one to respond), and this explains why you see the amount of traffic inbound on the interface of switch 2.

I believe that we now understand the problem. I am not a Linux expert so I can not tell you the details of how to fix the problem. But it would probably involve configuring a route on the firewall for the 10.2.0.0/16 network. And in this context it may make sense to go back to the question of running HSRP on the switch Gi0/1 interfaces. I now suggest that it would be a good thing to configure the switch Gi0/1 interfaces for HSRP and to use the virtual address that they share as the next hop of the route in the firewall. This would allow the firewall to continue to forward traffic through switch 2 if there were a problem with switch 1.
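As an added example (not code from the thread or from any participant), the following POSIX shell script reproduces the diagnosis made in the two posts above on the Linux firewall side: it shows what a route without a next hop looks like in the kernel routing table, how the neighbour table betrays that two different routers are answering ARP for inside hosts, and the single route that replaces per-host ARP with the HSRP virtual address. The route and neighbour tables are constructed to match the topology described in the thread; the firewall address 192.168.99.1, the HSRP virtual address 192.168.99.4, the MAC addresses and the interface names eth0/eth1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All tables below are CONSTRUCTED to
# mimic the topology discussed; only 192.168.99.2 (S1) and 192.168.99.3 (S2)
# come from the thread, everything else is assumed.

# Constructed `ip route show` output. The 10.0.0.0/8 entry has no "via", so
# the kernel treats every 10.x.x.x host as directly attached and ARPs for it
# on eth1, which is exactly the situation guessed at above.
FW_ROUTES='default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.168.99.0/29 dev eth1 proto kernel scope link src 192.168.99.1
10.0.0.0/8 dev eth1 scope link'

# Constructed `ip neigh show dev eth1` output. Inside hosts resolve to one of
# only two MACs: the proxy-ARP replies of S1 (...:01) and S2 (...:02). Which
# switch "wins" a given host depends on who answered first.
FW_NEIGH='192.168.99.2 lladdr 00:11:22:33:44:01 REACHABLE
192.168.99.3 lladdr 00:11:22:33:44:02 REACHABLE
10.2.0.10 lladdr 00:11:22:33:44:01 STALE
10.2.2.20 lladdr 00:11:22:33:44:02 REACHABLE
10.2.4.30 lladdr 00:11:22:33:44:02 STALE
10.2.6.40 lladdr 00:11:22:33:44:01 REACHABLE'

# Addresses in 192.168.99.0/29 that are already taken by a physical interface.
# The firewall's own .1 is assumed; .2 and .3 are from the thread.
S1_IP=192.168.99.2
S2_IP=192.168.99.3
FW_IP=192.168.99.1

# route_next_hop PREFIX: prints the gateway of the route for PREFIX,
# "onlink" when the route has no "via" (the misconfiguration in the thread),
# or "none" when there is no such route at all.
route_next_hop() {
    printf '%s\n' "$FW_ROUTES" | awk -v p="$1" '
        $1 == p { if ($2 == "via") print $3; else print "onlink"; found = 1 }
        END { if (!found) print "none" }'
}

# proxy_arp_suspects PREFIX: number of distinct MACs answering for hosts whose
# address starts with PREFIX (e.g. "10.2."). A value above 1 means more than
# one router is proxy-ARPing for the same network.
proxy_arp_suspects() {
    printf '%s\n' "$FW_NEIGH" | awk -v p="$1" '
        index($1, p) == 1 && $2 == "lladdr" { macs[$3] = 1 }
        END { n = 0; for (m in macs) n++; print n }'
}

# vip_is_free VIP: "yes" unless VIP collides with a physical interface address.
# An HSRP virtual address must be a fourth, otherwise unused address.
vip_is_free() {
    for used in "$S1_IP" "$S2_IP" "$FW_IP"; do
        if [ "$1" = "$used" ]; then echo no; return 0; fi
    done
    echo yes
}

# fix_command PREFIX VIP: the route that makes the firewall send all inside
# traffic to one next hop (the HSRP virtual address) instead of ARPing per host.
fix_command() {
    printf 'ip route replace %s via %s dev eth1\n' "$1" "$2"
}

main() {
    echo "10.0.0.0/8 next hop: $(route_next_hop 10.0.0.0/8)"
    echo "distinct MACs answering for 10.2.x.x: $(proxy_arp_suspects 10.2.)"
    echo "192.168.99.4 usable as HSRP VIP: $(vip_is_free 192.168.99.4)"
    echo "suggested fix: $(fix_command 10.2.0.0/16 192.168.99.4)"
}
main
```

On a live firewall, replace the two constructed tables with `$(ip route show)` and `$(ip neigh show dev eth1)`. The route fix only gives the failover described above if S1 and S2 actually run HSRP on Gi0/1 with that virtual address; without HSRP, point the route at 192.168.99.2 and accept that a failure of S1 takes the route with it.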

HSRP, routing issue

Thomas

I am glad that you have found the solution to your problem and that our discussion was helpful. It has been an interesting discussion and took us a while to get a correct understanding of the problem. Thank you for using the rating system to mark the question as answered (and thanks for the points). It makes the forum more useful when people can read about a problem (especially a problem as unusual as this one) and can know that a solution was found. Your marking has contributed to this process.
